Service Terms

Outputs are probabilistic. The module is designed to assist a qualified user, and a qualified user remains responsible for the work product. An Output may contain errors of fact, omissions, mischaracterisations or citations to authorities that do not exist or that do not stand for the proposition stated. The module does not guarantee accuracy, completeness or fitness for any particular legal purpose, and we do not warrant that an Output is free from these issues.

The Customer agrees that an Authorised User will exercise independent professional judgement before relying on, sending, filing, executing or otherwise acting on an Output. The module is a tool used by the Customer’s lawyer, not a substitute for the lawyer. Outputs do not constitute legal advice from Donna. We are not the Customer’s lawyer, and the lawyer-client relationship runs between the Customer and its own legal advisers.

Where the module returns citations to authorities, sources or passages inside a document, those citations are presented to assist verification. The Customer is responsible for opening the cited source and confirming the proposition. We endeavour to ground citations in the source material visible to the model at the time of generation, but grounding is not a guarantee of legal correctness or current good law.

When a source document is replaced, withdrawn or amended in Documents or in a connected repository, the module attempts to identify Outputs that were grounded in the prior version and to flag them for re-review. The flag is a prompt for the Customer to verify; it is not a guarantee that we will identify every dependent Output. The Customer must not rely on an Output that pre-dates a material change in its source material until the Customer has re-run or re-verified the work.

The Customer is the controller of access to its Spaces. We provide the tools to grant, revoke and audit access. We do not approve, vet or independently verify the people the Customer invites into a Space. The Customer is responsible for ensuring that each invitee is the person the Customer intends to invite and that the invitee’s access is appropriate to the role assigned.

When the Customer invites an End Client into a Space, the End Client is asked to accept Donna’s end-user terms and to acknowledge our Privacy Policy as part of the in-app onboarding. This is a service we run on the Customer’s behalf. It does not displace the Customer’s own client engagement letter, costs disclosure, or the Customer’s privacy notices to its own clients.

The Customer warrants that, before the End Client is invited, the Customer has notified the End Client of the Customer’s use of the Platform in accordance with the Customer’s privacy notices and any applicable professional rules. The Customer agrees that obligations the Platform Agreement places on the Customer in respect of Authorised Users are passed through to End Clients to the extent of the End Client’s use of the Space.

Spaces support the following permission scopes. The Customer assigns one scope per invitee. The Customer may change a scope at any time.

The Customer may remove any person from a Space at any time. We do not owe an independent obligation to a removed user to maintain their access. Where access is removed, prior contributions made by that user remain in the Space history unless the Customer also deletes them.

Documents in this module are encrypted at rest using AES-256 and encrypted in transit using TLS 1.2 or higher. Documents are logically segregated by Customer tenancy. Encryption keys are managed in Microsoft Azure Key Vault. Customer-managed keys are available on request for tiers that include the option.

By default, documents persist in the module until the Customer deletes them. The Customer may configure retention rules at the matter or Space level, including time-based deletion and legal hold. We retain backups for the period set out in the Data Processing Addendum.

Where the Customer requires write-once-read-many storage for a regulated matter, the Customer may request immutable archival on a Space or a set of folders. Once enabled, documents in scope cannot be modified or deleted by Authorised Users for the configured retention period. We cannot reverse an immutable archival lock other than through the controlled procedures described in the Customer’s configuration and the Platform Agreement.

All documents and metadata stored in the module are Customer Data. We claim no ownership over the Customer’s files. Our rights are limited to processing the Customer Data on the Customer’s instructions to provide the Platform.

The configuration of a Workflow, including the prompts, branches, tool calls and parameters chosen by the Customer, is Customer Data. The Customer is responsible for what its Workflows do and for the Outputs they produce. We do not review Workflow configurations and we do not certify them.

Agents call tools provided by the Platform and, where the Customer has configured them, tools that wrap third-party services. We apply rate limits and concurrency caps to protect the Platform and the Customer’s tenancy. We may adjust those caps in good faith and on reasonable notice. Where a third-party tool has its own rate limits, the Customer is responsible for staying within them.

For the purposes of liability allocation under the Platform Agreement, the actions of an Agent operating inside a Customer Workflow are actions taken by the Customer using the Platform, not actions taken by us. We are responsible for the availability, integrity and security of the Platform that runs the Workflow. We are not responsible for the substantive correctness of the Agent’s decisions, save to the extent the Platform Agreement expressly provides.

The Customer may stop a Workflow or an Agent at any time using the Platform controls. We may stop or throttle a Workflow that is causing material risk to the Platform or to the Customer’s tenancy and will notify the Customer promptly when we do so.

In the standard configuration of the Platform, Donna allocates tenancies as follows. Customers principally established in Australia are hosted in Australia East (Sydney) as the primary region, with Australia Southeast (Melbourne) used for backup and disaster-recovery. Customers principally established in the European Economic Area, the United Kingdom, or Switzerland are hosted in North Europe (Ireland), unless Donna has allocated UK South (London) to the tenancy. Customers principally established in the United States or Canada are hosted in East US. Donna may revise these default allocations from time to time and will reflect any change on the Subprocessor list at /legal/subprocessors.

Where Donna proposes to relocate Customer Data at rest from one country to another, Donna will give the Customer not less than 30 days’ prior written notice. If the proposed relocation would result in a material change to the legal regime applicable to the Customer Data, the Customer may terminate the affected Order Form for convenience, without penalty, by written notice given before the proposed relocation takes effect. This right does not apply to changes within the same country, to failover within a paired region, or to routine inference and operational traffic to which other parts of these terms or the Data Transfers Addendum apply.

Donna may route AI inference and other transient processing to model Subprocessor regions outside the country in which Customer Data is hosted at rest. The current configuration is described on the Subprocessors page and is subject to the safeguards in the Data Transfers Addendum. Inference traffic is processed transiently for the purpose of generating the Output and is not used to retrain Subprocessor models.

Where the Customer is an APP entity under the Privacy Act 1988 (Cth), the Customer remains responsible for compliance with Australian Privacy Principle 8 in respect of disclosures of Personal Information to overseas recipients. The Data Transfers Addendum describes the contractual measures Donna has put in place with its Subprocessors that the Customer can rely on for the purposes of APP 8.2(a).

Beta features are provided on an as-is basis. The service-level commitments in the Support and Service Levels do not apply to a Beta feature. The Customer should not depend on a Beta feature for production use without separately satisfying itself of the feature’s suitability.

We may modify or withdraw a Beta feature at any time on reasonable notice. Where the withdrawal of a Beta feature materially affects the Customer’s use of the Platform, the Customer’s remedy is set out in section 11 in respect of materially adverse modifications.

Nothing in this section excludes, restricts or modifies any guarantee, right or remedy that cannot lawfully be excluded under the Australian Consumer Law. Where a Beta feature is supplied to a Customer that is a consumer for the purposes of the Australian Consumer Law, this section operates subject to section 12.

We apply per-tenancy and per-user rate limits to AI calls and API calls. Rate limits protect the stability of the Platform. Limits applicable to a Customer are visible in the administration console and may be adjusted in good faith on reasonable notice.

Subscription tiers are sized for the patterns of use described in our published documentation. Where the Customer’s use materially exceeds those patterns and creates risk to other Customers or to the Platform, we will contact the Customer to discuss a remediation. Where the issue persists after a reasonable opportunity to remediate, we may throttle or suspend the affected feature for the Customer’s tenancy on prior notice. We do not invoke this section as an alternative to a true-up of metered overage; it is reserved for disruptive patterns.

We may publish updates to our usage policy that describe the patterns we treat as fair, the rate limits applicable by tier, and the controls available to administrators. Updates take effect on the date stated and do not retrospectively reclassify earlier usage as out of policy.

By using the AI features of the Platform, the Customer agrees to comply with the flow-through obligations imposed by each model provider whose models are used to generate Outputs for the Customer. Those obligations sit alongside the Acceptable Use Policy and do not displace it.

We maintain current copies of the supplemental terms imposed by each model provider. We will provide a copy of the relevant supplemental terms on request. Where a model provider amends its supplemental terms, the Customer is bound by the amended terms from the date the amendment takes effect, subject to the materiality and notice mechanism in section 11.

Donna does not authorise the training of Subprocessor models on Customer Data, Inputs or Outputs. Our agreements with our model Subprocessors prohibit this use. The position is described further in the Data Processing Addendum and on the Subprocessors page.

An Authorised User may download an individual document from the document context menu in a Space, or select multiple documents and download them together using the bulk-download action. Documents are returned in the file format in which they were uploaded. An Authorised User may also export a draft from the in-editor export action, in the formats supported by that feature. Administrators may download organisation membership and usage reports as CSV files from the administration console.

Donna does not currently offer a public, programmatic API for bulk export of Customer Data. Where a Customer requires an export that is not available through the user interface, the Customer may contact Donna at support@bydonna.ai and we will work with the Customer to scope a reasonable response, typically through a one-off operator-assisted export.

The Customer’s right to export Customer Data on termination of the Platform Agreement is set out in the Platform Agreement and the Data Processing Addendum. The export methods available on termination are the same as those available during the term.

Where we replace a feature with a substantially equivalent successor at no additional charge, the substitution is not a materially adverse change. We document substitutions in our release notes.

Where a modification is materially adverse to the Customer’s use of a feature it has paid for, we will provide at least sixty (60) days’ prior written notice. The notice will describe the change, the date it takes effect and any available transition path.

Where a Customer is subject to a materially adverse modification, the Customer may terminate the affected module within thirty (30) days of the change taking effect. On termination under this section, we will refund the unused portion of any pre-paid fees attributable to the affected module, calculated on a pro-rata basis from the date of termination to the end of the then-current term. Termination of the affected module under this section is the Customer’s sole and exclusive remedy in respect of the modification, subject always to section 12 and to mandatory rights and remedies under the Platform Agreement.